I'm a little confused why so many here are making it seem like this particular attack is completely unstoppable. Just don't include private videos in training or inference. My guess is that the agent that runs this viewer comment aggregation feature has the same context as the one that runs other AI studio things, but attack or not, this isn't functionally correct to begin with. This attack implies that if Samsung has a private video for a new rollable phone, they might see "Viewers are excited about Samsung Roll 1" from this. The viewer comment aggregation feature should have the same information as the viewers to form an accurate summary, and the AI studio suggestion agent should have private context.
Now, the bigger problem of being able to make a "[Important Notice from YouTube]" banner might be harder to solve, but they could at least remove links from the input and output.
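An added sketch of the "remove links from the input and output" mitigation suggested in the comment above; it is not part of the thread and not YouTube's code. The `model` callable, the TLD list and the sample comments are assumptions made for this example.

```python
import re

PLACEHOLDER = "[link removed]"
# Markdown link [text](target): keep the visible text, drop the target.
MD_LINK = re.compile(r"\[([^\]]*)\]\([^)]*\)")
# URLs with a scheme or a www. prefix.
BARE_URL = re.compile(r"\b(?:https?://|www\.)[^\s<>\"')\]]+", re.IGNORECASE)
# Scheme-less hosts that renderers may auto-link. The TLD list is an
# assumption for this sketch; a real filter would use a full suffix list.
BARE_HOST = re.compile(
    r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|io|test)\b(?:/[^\s<>\"')\]]*)?",
    re.IGNORECASE,
)


def strip_links(text):
    """Return (text_without_links, number_of_spans_removed)."""
    # Order matters: unwrap Markdown first so a URL used as link text
    # is still caught by the bare-URL pass that follows.
    text, n_md = MD_LINK.subn(lambda m: m.group(1) or PLACEHOLDER, text)
    text, n_url = BARE_URL.subn(PLACEHOLDER, text)
    text, n_host = BARE_HOST.subn(PLACEHOLDER, text)
    return text, n_md + n_url + n_host


def summarize_without_links(comments, model):
    """Filter links on both sides of a model call.

    `model` is a hypothetical callable: list of comment strings in,
    summary string out. Returns (summary, removed_in, removed_out).
    """
    cleaned, removed_in = [], 0
    for comment in comments:
        text, n = strip_links(comment)
        cleaned.append(text)
        removed_in += n
    summary, removed_out = strip_links(model(cleaned))
    return summary, removed_in, removed_out


if __name__ == "__main__":
    # Constructed sample comments and a stub model that emits a link anyway.
    sample = ["Loved the pacing!", "More at https://example.test/x",
              "see [my channel](http://example.test/c) please"]
    stub = lambda c: "Viewers liked the pacing. Info: www.example.test/v"
    print(summarize_without_links(sample, stub))
```

A non-zero `removed_out` means the model produced a link even though none reached it in the comments, which is worth logging. The filter does nothing about banner-style text such as "[Important Notice from YouTube]", which passes through unchanged.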
I believe the feature is that you have a pending unreleased video and go to an LLM for tips. When getting the tips it uses the pending video content and your recent videos' info as context. So there's no holding back unlisted info short of not letting the user use it for their upcoming videos at all.
And then the attack is to trick this recommendation system into putting a link out.
I actually think the attack is very likely already soft-defeated by an interstitial telling you that you are leaving the site, though; it would be weird if they didn't do that in general from this surface.